How Praxiko handles your data
Praxiko runs on regional cloud infrastructure with privacy-by-default settings. Today, all Praxiko data is hosted in Australia, in the Sydney region; as Praxiko opens new markets, each will get its own in-region data residency. The trust signals below are factual and mechanical — the practitioner interprets the data; Praxiko keeps the record.
Trust signals
Australian data residency
All practitioner and client data is stored in Supabase's Sydney region (ap-southeast-2). Data residency is locked at project creation — moving regions is not a configuration toggle. This aligns with Australian Privacy Act expectations for handling health information onshore.
HTTPS enforced at the TLD level
Praxiko runs on the .app top-level domain, which is on the HSTS preload list — every major browser refuses to connect over plain HTTP regardless of how a link is shared. There is no insecure path to Praxiko.
Encryption at rest and in transit
Database storage and managed object storage are encrypted at rest by default. All network traffic between client devices, Praxiko's edge, and the database is encrypted in transit over TLS.
Row-level access controls
Every table that touches user data is scoped at the database level by enterprise (clinic). Practitioners cannot read or write data outside the enterprise their hat belongs to, even if an application-layer bug attempted to. This is enforced by Postgres row-level security policies, not by application code alone.
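A sketch of enterprise-scoped row-level security on Supabase Postgres, added here as an example and not Praxiko's actual schema or policies. The table, column and policy names are assumptions; auth.uid() and the authenticated role are Supabase's own.

```sql
-- Hypothetical schema: all table, column and policy names are assumptions.
create table enterprises (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

-- One row per practitioner membership in a clinic (enterprise).
create table memberships (
  user_id       uuid not null,  -- the Supabase Auth user id
  enterprise_id uuid not null references enterprises (id),
  primary key (user_id, enterprise_id)
);

create table client_records (
  id            uuid primary key default gen_random_uuid(),
  enterprise_id uuid not null references enterprises (id),
  body          text not null
);

-- With RLS enabled and no matching policy, access is denied by default.
alter table memberships    enable row level security;
alter table client_records enable row level security;
-- Apply the policies to the table owner as well.
alter table client_records force row level security;

-- A signed-in user can read only their own membership rows.
create policy memberships_self on memberships
  for select to authenticated
  using (user_id = auth.uid());

-- USING filters the rows a statement can see or modify; WITH CHECK rejects
-- an insert or update that would place a row in another enterprise.
create policy client_records_by_enterprise on client_records
  for all to authenticated
  using (
    enterprise_id in (
      select enterprise_id from memberships where user_id = auth.uid())
  )
  with check (
    enterprise_id in (
      select enterprise_id from memberships where user_id = auth.uid())
  );
```

Under these policies, a query that omits its enterprise filter still returns only the caller's clinic's rows, and a write carrying another clinic's enterprise_id fails with a row-level security violation.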
Runs under your practice's name
Each practice's clients see their clinic, co-branded with Praxiko. Data is scoped and labelled to the clinic at the database level — one practice's records are never visible to another.
Authentication
Sign-in uses single-use one-time codes delivered by email. Sessions are validated server-side against Supabase Auth on every request — cookies alone are never trusted.
Stores and surfaces; doesn't interpret
Praxiko stores and surfaces clinical information. It doesn't score symptoms, generate treatment recommendations, or auto-flag check-in answers. The practitioner interprets; the software keeps the record. That line is deliberate — it keeps Praxiko on the right side of medical-device regulation, and it keeps the clinical judgement where it belongs. Australia is the current launch market; the AHPRA advertising guidelines shape what Praxiko publishes about regulated health services here, and equivalent regimes apply in other English-language jurisdictions.
Reporting a security issue
If you believe you've found a security vulnerability, email security@praxiko.app with details. Praxiko reviews reports promptly and will coordinate disclosure once a fix has shipped.